Ransomware: History Analysis & Mitigation
An hour-long look at ransomware's beginnings, ransomware in the news, variants throughout the years, cutting-edge malware analysis, and mitigation techniques.
Andy Thompson is a member of the Shadow Systems Hacker Collective and the Dallas Hackers Association, and is active in the Dallas InfoSec community. Currently a Technical Advisor for CyberArk Software, he works with Fortune 500 companies, assisting them in advancing their cybersecurity programs.
2. @NTXISSA #NTXISSACSC3
Whoami – Andy Thompson - @R41nM4k3r
• Customer Success Strategic Advisor – CyberArk Software
• B.S. MIS – University of Texas at Arlington
• CompTIA A+ & Sec+
• VMware VCA-DCV
• (ISC)2 SSCP & CISSP
• Married, father of 2 girls.
• Member of Shadow Systems Hacker Collective
• Member of Dallas Hackers Association
3. Agenda
• Overview
• Ransomware in the News
• Timeline
• Technical Analysis
• Analysis of Client Infection
• Command & Control (C2) Architecture Setup/Design
• Evolved Ransomware
• Mitigation Techniques
• Final Thoughts
14. Malvertising
• Up 325% from 2014 to 2015
• As recently as March 15th, 2016
• Companies outsource their advertising through advertising networks
• Tainted ads carrying the Angler exploit kit.
• NYTimes, BBC, MSN, AOL, Answers.com, ZeroHedge, Infolinks, my.xfinity, NFL, realtor.com, theweathernetwork, thehill, and Newsweek all served up ransomware.
• Other victims include:
  • Spotify, TMZ, Skype, eBay, Drudge Report, and many, many others.
38. Petya – The MBR Encryptor
• Rewrites the system's MBR and forces a BSOD.
• On reboot a fake "check disk" screen runs while the malware encrypts the Master File Table.
• Masquerades as a job application.
• Links to a shared Dropbox folder containing a self-extracting archive with the applicant's resume and a fake photo.
39. PowerWare – Using your own tools against you.
• Disguised in spam as an "invoice".
• Leverages MS Word and native PowerShell.
• Does not pull down any additional binaries; it leverages PowerShell (already on the system and approved to be there) to do the dirty work.
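Because PowerWare drops no new binary, hash-based antivirus has nothing to match; the detectable signal is the parent-child relationship the slide describes, an Office process spawning PowerShell. The following is an added example (not from the talk or from CyberArk) that scores constructed process-creation events laid out like Sysmon Event ID 1 fields; the field names, weights and sample events are assumptions for illustration.

```python
"""Flag Office-spawned script hosts, the living-off-the-land pattern
PowerWare uses. Events are constructed dicts with the Sysmon-style
fields ParentImage, Image and CommandLine (an assumed schema)."""
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Switches that make a macro-launched shell hidden or policy-bypassing.
# "-nop" also covers "-noprofile" and "-enc" covers "-encodedcommand".
SUSPICIOUS_FLAGS = ("-nop", "-w hidden", "-windowstyle hidden", "-enc", "bypass")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> int:
    """Risk score for one process-creation event: 0 is benign, higher is worse."""
    score = 0
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        score += 5  # Word or Excel should essentially never launch a script host
    cmd = ev.get("CommandLine", "").lower()
    score += sum(2 for flag in SUSPICIOUS_FLAGS if flag in cmd)
    return score


def detect(events: List[Dict[str, str]], threshold: int = 5) -> List[Dict[str, str]]:
    """Return the events that reach the alert threshold."""
    return [ev for ev in events if score_event(ev) >= threshold]


# Constructed sample events: one PowerWare-style launch, two benign ones.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc <constructed-base64>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(score_event(hit), basename(hit["ParentImage"]), "->", hit["CommandLine"])
```

The same parent-child check is the natural basis for an EDR or SIEM rule; the analyst-driven PowerShell launch from explorer.exe scores zero, so the rule keys on the Office parent rather than on PowerShell itself.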
52. Simplocker – 1st Android Encrypting Ransomware
• Detected June 1st, 2014
• Lots of Android screen lockers existed, but this was the first file encrypter.
• Encrypts *.jpg, *.jpeg, and *.png to *.enc
• Communicates with its C2 via the Tor network
• A decrypter is currently available.